Opening Statement of Chairman Tom Davis

Good morning and welcome. A quorum being present, the Committee on Government Reform will come to order. Today, the Committee is releasing its federal computer security scorecards and will examine the status of agency compliance with the Federal Information Security Management Act (FISMA).

Information technology and the Internet drive our economy and help the federal government operate with greater efficiency and cost savings. E-commerce, information sharing, and Internet transactions, such as online tax filing, are so commonplace that we take them for granted. Not until an incident such as the potential Blackberry shutdown - which was recently settled - are we reminded of our dependence on IT and how difficult it is for us to function without it.

In the past year or so, we have heard stories about identity theft, security breaches in large commercial databases, and phishing scams such as those identified by the Internal Revenue Service this tax season. We have also seen an increase in education and awareness campaigns for online safety spearheaded by the private and public sectors. But in my experience, when it comes to federal IT policy and information security, it is still difficult to get people - even members of Congress - engaged. For most people this is an abstract, inside-the-Beltway issue. And FISMA is still viewed by some federal agencies as a paperwork exercise. But these are short-sighted observations. As a result of the government's aggressive push to advance e-government, many government information systems hold personal information about citizens and employees, in addition to other types of data. Maintaining the integrity, privacy, and availability of all information in these systems is vital to our national security, continuity of operations, and economy.

Furthermore, in order to successfully fight the war on terror, we must be able to move information to the right people at the right place and time. Information needs to move seamlessly, securely, and efficiently within agencies, across departments, and across jurisdictions of government as well.

Due to the nature of our cyber infrastructure, an attack could originate anywhere at any time. We know that government systems are prime targets for hackers, terrorists, hostile foreign governments, and identity thieves. Malicious or unintended security threats come in varied forms: denial of service attacks, malware, worms and viruses, phishing scams, and software weaknesses, to name a few. Any of these threats can compromise our information systems. The results would be costly, disruptive, and erode public trust in government.



... Officer, U.S. Social Security Administration
Testimony of Mr. Robert F. Lentz, Office of the Assistant Secretary for Networks and Integration
Department of Homeland Security



One of the best ways to defend against attacks is to have a strong, yet flexible, protection policy in place. We want agencies to actively protect their systems instead of just reacting to the latest threat with patches and other responses. FISMA accomplishes this goal by requiring each agency to create a comprehensive risk-based approach to agency-wide information security management. FISMA strengthens Federal cyber preparedness, evaluation, and reporting requirements. It's intended to make security management an integral part of an agency's operations, and to ensure that we are actively using best practices to secure our systems and prevent devastating damage.

The Committee, with technical assistance from GAO, releases annual scorecards based on the 
FISMA reports submitted to us by agency Chief Information Officers and Inspectors General. This 
year, the federal government as a whole hardly improved, receiving a D+ yet again. Our analysis 
reveals that the scores for the Departments of Defense, Homeland Security, Justice, State - the 
agencies on the front line in the war on terror - remained unacceptably low or dropped precipitously. 
Meanwhile, several agencies improved their information security or maintained a consistently high 
level of security from previous years. 

The 2005 FISMA grades indicate that agencies have made improvements in developing 
configuration management plans, employee security training, developing and maintaining an 
inventory, certifying and accrediting systems, and annual testing. Despite these advances, there are 
still some areas of concern to the Committee, including implementation of configuration 
management policies, specialized security training for employees with significant security 
responsibilities, inconsistent incident reporting, inconsistencies in contingency plan testing, annual 
testing of security controls, and agency responsibility for contractor systems. 

At today's hearing, we will evaluate the results of the agencies' 2005 FISMA reports, identify 
strengths and weaknesses in government information security, and learn whether FISMA provisions 
and the OMB guidance are sufficient to help secure government information systems. Witnesses 
from GAO and OMB will help us understand what obstacles impede the government's ability to 
comply with FISMA. DOD and DHS witnesses will discuss the challenges they face in their 
departments and their plans to improve FISMA compliance. We will also hear about best practices 
and lessons learned from the Social Security Administration and Department of Labor, two agencies 
that have demonstrated consistent improvements in their information security since the scorecard 
process was initiated in 2001.

If FISMA were the No Child Left Behind Act, a lot of critical agencies would be on the list of low performers. None of us would accept D+ grades on our children's report cards. We can't accept these either.


GOVERNMENTWIDE GRADE 2005: D+

AGENCY                                          2005   2004
AGENCY FOR INTERNATIONAL DEVELOPMENT            A+     A+
DEPARTMENT OF COMMERCE                          D+     F
DEPARTMENT OF LABOR                             A+     B-
DEPARTMENT OF JUSTICE                           D      B-
SOCIAL SECURITY ADMINISTRATION                  A+     B
NUCLEAR REGULATORY COMMISSION                   D-     B+
OFFICE OF PERSONNEL MANAGEMENT                  A+     C-
DEPARTMENT OF TREASURY                          D-     D+
ENVIRONMENTAL PROTECTION AGENCY                 A+     B
DEPARTMENT OF ENERGY                            F      F
NATIONAL SCIENCE FOUNDATION                     A      C+
DEPARTMENT OF VETERANS AFFAIRS                  F      F
GENERAL SERVICES ADMINISTRATION                 A-     C+
DEPARTMENT OF HEALTH AND HUMAN SERVICES         F      F
NATIONAL AERONAUTICS AND SPACE ADMINISTRATION   B-     D-
DEPARTMENT OF THE INTERIOR                      F      C+
SMALL BUSINESS ADMINISTRATION                   C+     D-
DEPARTMENT OF DEFENSE                           F      D
DEPARTMENT OF TRANSPORTATION                    C-     A-
DEPARTMENT OF STATE                             F      D+
DEPARTMENT OF EDUCATION                         C-     C
DEPARTMENT OF HOMELAND SECURITY                 F      F
HOUSING AND URBAN DEVELOPMENT                   D+     F
DEPARTMENT OF AGRICULTURE                       F      F



Prepared by the Government Reform Committee, chaired by Tom Davis, based on reports required by the Federal Information Security Management Act of 2002.
Federal Computer Security Grades 2001-2005

Score (Grade) by fiscal year:

Agency                    2005        2004        2003        2002        2001
Agriculture               24 (F)      49.5 (F)    40 (F)      36 (F)      31 (F)
AID                       100 (A+)    99 (A+)     70.5 (C-)   52 (F)      22 (F)
Commerce                  67 (D+)     56.5 (F)    72.5 (C-)   68 (D+)     51 (F)
DOD**                     38.75 (F)   65 (D)      65.5 (D)    38 (F)      40 (F)
Education                 71 (C-)     76.5 (C)    77 (C+)     66 (D)      33 (F)
Energy                    46.75 (F)   48.5 (F)    59.5 (F)    41 (F)      51 (F)
EPA                       97.5 (A+)   84 (B)      74.5 (C)    63 (D-)     69 (D+)
GSA                       92.5 (A-)   79.5 (C+)   65 (D)      64 (D)      66 (D)
HHS                       45.5 (F)    49.5 (F)    54 (F)      61 (D-)     43 (F)
DHS                       33.5 (F)    20.5 (F)    34 (F)      --          --
HUD                       67.5 (D+)   28 (F)      40 (F)      48 (F)      66 (D)
Interior                  41.5 (F)    77 (C+)     43 (F)      37 (F)      48 (F)
Justice                   66.5 (D)    82.5 (B-)   55.5 (F)    56 (F)      50 (F)
Labor                     99 (A+)     83 (B-)     86.5 (B)    79 (C+)     56 (F)
NASA                      80 (B-)     60 (D-)     60.5 (D-)   68 (D+)     70 (C-)
NRC                       60.5 (D-)   88 (B+)     94.5 (A)    74 (C)      34 (F)
NSF                       95 (A)      77.5 (C+)   90.5 (A-)   63 (D-)     87 (B+)
OPM                       98 (A+)     72.5 (C-)   61.5 (D-)   52 (F)      39 (F)
SBA                       78 (C+)     60 (D-)     71 (C-)     48 (F)      48 (F)
SSA                       99 (A+)     86 (B)      88 (B+)     82 (B-)     79 (C+)
State                     37.5 (F)    69.5 (D+)   39.5 (F)    54 (F)      69 (D+)
Transportation            71.5 (C-)   91.5 (A-)   69 (D+)     28 (F)      48 (F)
Treasury**                60.5 (D-)   68 (D+)     64 (D)      48 (F)      54 (F)
VA**                      46 (F)      50 (F)      76.5 (C)    50 (F)      44 (F)
Government-wide Average   67.4 (D+)   67.3 (D+)   65 (D)      55 (F)      53 (F)

**The Inspector General for these agencies did not provide independent evaluations of their agencies' FISMA reports for FY03. Therefore these scores are based on self-reported numbers submitted by these agencies.
FISMA 2005 Scoring Methodology

AGENCY NAME: ____________    Reviewed by: ____________    Reviewed on: ____________

Worksheet columns: Report Grading Element | FY05 Possible Points | Agency/Report | CIO Scoring | IG Scoring | Final Scoring

Total possible points: 100

A. Annual Testing (20 points)

1. The percentage of the agency's systems reviewed, including ... (20 points)

   i) The percentage of agency systems reviewed in FY05 was: (10 points)
      High impact systems (6 points)
         a. Between 90 and 100%    6
         b. Between 75 and 89%     4
         c. Between 60 and 74%     2
         d. Between 45 and 59%     0.5
         e. 44% and less           0
      Moderate impact systems (3 points)
         a. Between 90 and 100%    3
         b. Between 75 and 89%     2
         c. Between 60 and 74%     1
         d. Between 45 and 59%     0.5
         e. 44% and less           0
      Low impact systems (1 point)
         a. Between 96 and 100%    1
         b. Between 51 and 95%     0.5
         c. 50% and less           0

   ii) The percentage of contractor operations or facilities reviewed ... (10 points)
      High impact systems (6 points): 90-100% = 6; 75-89% = 4; 60-74% = 2; 45-59% = 0.5; 44% and less = 0
      Moderate impact systems (3 points): 90-100% = 3; 75-89% = 2; 60-74% = 1; 45-59% = 0.5; 44% and less = 0
      Low impact systems (1 point): 96-100% = 1; 51-95% = 0.5; 50% and less = 0

   iii) The agency performs oversight and evaluation to ensure ... (OIG evaluation, applied as a deduction to the Annual Testing points)
         a. Between 96 and 100% (no points deducted from A1)    0%
         b. Between 51 and 95% (50% of points deducted)         -50%
         c. 50% and less (100% of points deducted)              -100%

B. Plan of Action and Milestones (POA&M) (15 points)

2. Has the agency developed, implemented, and managing an ... (15 points)

   i) The POA&M is an agency wide process, incorporating all ... (3 points)
      a. 96-100% = 3; b. 81-95% = 2; c. 71-80% = 1; d. 51-70% = 0.5; e. 50% and less = 0
   ii) When an IT security weakness is identified, program officials ... (4 points)
      a. 96-100% = 4; b. 81-95% = 2; c. 71-80% = 1; d. 51-70% = 0.5; e. 50% and less = 0
   iii) Program officials, including contractors, report to the CIO on a ... (1 point)
      a. 96-100% = 1; b. 51-95% = 0.5; c. 50% and less = 0
   iv) CIO centrally tracks, maintains, and reviews POA&M activities ... (2 points)
      a. 96-100% = 2; b. 81-95% = 1.5; c. 71-80% = 1; d. 51-70% = 0.5; e. 50% and less = 0
   v) OIG findings are incorporated into the POA&M process. (2 points)
      a. 96-100% = 2; b. 51-95% = 1; c. 50% and less = 0
   vi) POA&M process prioritizes IT security weaknesses to help ... (3 points)
      a. 96-100% = 3; b. 81-95% = 2; c. 71-80% = 1; d. 51-70% = 0.5; e. 50% and less = 0

C. Certification and Accreditation (C&A) (20 points)

3. i) The percentage of systems that have been certified and ... (12 points)
      High impact systems (6 points): 90-100% = 6; 75-89% = 4; 60-74% = 3; 45-59% = 1; 44% and less = 0
      Moderate impact systems (4 points): 90-100% = 4; 75-89% = 2; 60-74% = 1; 45-59% = 0.5; 44% and less = 0
      Low impact systems (2 points): 90-100% = 2; 75-89% = 1.5; 60-74% = 1; 45-59% = 0.5; 44% and less = 0

   ii) The percentage of systems whose security controls have been ... (4 points)
      High impact systems (2 points): 90-100% = 2; 75-89% = 1.5; 60-74% = 1; 45-59% = 0.5; 44% and less = 0
      Moderate impact systems (1.5 points): 96-100% = 1.5; 51-95% = 0.5; 50% and less = 0
      Low impact systems (0.5 point): 96-100% = 0.5; 95% and less = 0

   iii) The percentage of systems that have a contingency plan that ... (4 points)
      High impact systems (2 points): 90-100% = 2; 75-89% = 1.5; 60-74% = 1; 45-59% = 0.5; 44% and less = 0
      Moderate impact systems (1.5 points): 96-100% = 1.5; 51-95% = 0.5; 50% and less = 0
      Low impact systems (0.5 point): 51-100% = 0.5; 50% and less = 0

   iv) OIG Assessment of the Certification and Accreditation Process (OIG C&A evaluation, applied as a deduction)
         a. Excellent, Good, Satisfactory (no deduction from C&A score in question 6i)    0%
         b. Poor (-1/2 of C&A points awarded in question 6i)                               -50%
         c. Failing (-100% of C&A points awarded in question 6i)                           -100%

D. Configuration Management (20 points)

4. Is there an agency wide security configuration policy? (20 points)
      a. Yes                                       20
      b. No (go to Section E, Question 7.i)        0

   Questions 1 through 11 only apply if the agency has addressed the ...
   For each platform: a. Between 81 and 100%, or N/A = no deduction; b. Between 71 and 80% = -0.5; c. 70% and less, or No = -1
      1. Windows XP Professional
      2. Windows NT
      3. Windows 2000 Professional
      4. Windows 2000 Server
      5. Windows 2003 Server
      6. Solaris
      7. HP-UX
      8. Linux
      9. Cisco Router IOS
      10. Oracle
      11. Other (specify)

   ii) [question text garbled in the source; the legible fragments read "... emerging ... in its security plan ... special"]
      a. Yes (no deductions)        0
      b. No (loss of 4 points)      -4

E. Incident Detection and Response (15 points)

5. i) The agency follows documented policies and procedures for ... (7 points): a. Yes = 7; b. No = 0
   ii) The agency follows documented policies and procedures for ... (4 points): a. Yes = 4; b. No = 0
   iii) The agency follows defined procedures for reporting to the ... (4 points): a. Yes = 4; b. No = 0

F. Training (10 points)

8. Has the agency ensured security training and awareness ... (10 points)
   i) The percentage of agency employees (including contractors) ... (4 points)
      a. 90-100% = 4; b. 75-89% = 3; c. 60-74% = 2; d. 45-59% = 1; e. 44% and less = 0
   ii) The percentage of employees with significant security ... (4 points)
      a. 90-100% = 4; b. 75-89% = 3; c. 60-74% = 2; d. 45-59% = 1; e. 44% and less = 0
   iii) The agency provided the total training costs for FY05. (1 point): a. Yes = 1; b. No = 0
   iv) The agency explains policies regarding peer-to-peer file ... (1 point): a. Yes = 1; b. No = 0

G. Inventory (no deductions, or -10 maximum)

9. What progress has the agency made to develop an inventory of ...
   i) The agency has developed an inventory of major information ...
      a. Between 96 and 100% = 0; b. 95% and less (or the agency has no inventory) = -10
   ii) The OIG generally agrees with the CIO on the number of ...
      a. Between 96 and 100% = 0; b. 95% and less = -10
   iii) The OIG generally agrees with the CIO on the number of ...
      a. Between 96 and 100% = 0; b. 95% and less = -10

Possible extra credit questions
   - Does the agency have a plan in place to fully implement the ...
   - Has the agency begun to implement the security controls ...
How Grades Were Assigned

The Committee's computer security grades are based on information contained in agencies' and Inspectors General's (IGs) Federal Information Security Management Act (FISMA) reports to the Office of Management and Budget (OMB) for fiscal year 2005.

On December 17, 2002, the President signed into law the Electronic Government Act. 
Title III of that Act is the FISMA. FISMA lays out the framework for annual IT security 
reviews, reporting and remediation planning at federal agencies. FISMA requires that 
agency heads and IGs evaluate their agencies' computer security programs and report the 
results of those evaluations to OMB in September of each year along with their budget 
submissions. FISMA also requires that agency heads report the results of those 
evaluations annually to the Congress and the Government Accountability Office. 

OMB's 2005 reporting guidance instructed the agencies and IGs to submit reports 
summarizing the results of annual IT security reviews of systems and programs, agency 
progress on correcting identified weaknesses, and the results of other work performed 
during the reporting period. Agencies and IGs were required to use OMB's performance 
measures in assessing and reporting the status of their agencies' security programs. In 
addition, agencies were permitted to include additional performance measures they had 
developed. 



Assignment of Grades 

In assigning grades, the Committee followed the methodology developed for the fiscal 
year 2004 FISMA grades, with the exception of adjustments required by changes in 
OMB's FISMA reporting instructions (see below). This approach ensures consistency in 
the methodology used to assign grades and serves to highlight progress made by an 
agency if this year's grade indicates improvement. 

The weighted scores are based on OMB's performance metrics, with a perfect score 
totaling 100 points. OMB provided a range of responses for most questions. The number 
of points assigned to each response is proportional to the extent the element has been 
implemented. For example, agencies received zero (0) points for a response indicating a 
percentage that falls below an acceptable threshold (for example: 50% or less of known 
IT security weaknesses being incorporated in the Plan of Action and Milestones). 
Proportionally, more points were given for answers that ranged between 51 and 70%, 81 
and 95%, etc. The full weighted value was awarded for answers that ranged between 96 
and 100%. 



For more specific weighting of questions see the scoring methodology. 



Case [number illegible] Document 3-28 Filed 11/20/2006 Page 11 of 12



The Committee tallied the scores for the 24 agencies on the basis of its analysis of agency 
and IG responses. The final numerical score is the basis for the agency's letter grade. 
Letter grades for the 24 major departments and agencies were assigned as follows: 

90 to 93 = A-    94 to 96 = A    97 to 100 = A+
80 to 83 = B-    84 to 86 = B    87 to 89 = B+
70 to 73 = C-    74 to 76 = C    77 to 79 = C+
60 to 63 = D-    64 to 66 = D    67 to 69 = D+
59 and lower = F
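The scoring methodology and the grade bands above describe an algorithm: tiered point bands per FIPS 199 impact level, IG-driven deductions, per-platform configuration deductions, an inventory penalty, and a final cut-off table. The following Python is an added worked example, written for this page and not the Committee's, GAO's or OMB's own tool, that runs that algorithm over a constructed sample report. The dictionary keys (systems_reviewed, poam_pcts, oig_ca_rating, and so on) and every percentage in SAMPLE_REPORT are assumptions made for the example; the point values, bands and cut-offs are the ones printed on this page. One reading is assumed where the page is terse: the inventory section's "-10 maximum" is applied once, as the full letter grade the text describes, whenever any of the three IG inventory questions falls below 96%.

```python
"""Added example: a runnable model of the Committee's FY05 FISMA scoring
methodology and letter-grade bands. Illustrative code for this page, not the
Committee's, GAO's or OMB's own tool; the dictionary keys are assumptions."""

def band_points(pct, bands):
    """bands = [(minimum percent, points), ...], highest band first. The first
    band whose floor the response meets wins; below the lowest floor = 0."""
    for floor, pts in bands:
        if pct >= floor:
            return pts
    return 0.0

# Tiered questions scored separately per impact level (sections A and C).
REVIEW_BANDS = {  # A.1.i agency systems and A.1.ii contractor systems (10 each)
    "high": [(90, 6), (75, 4), (60, 2), (45, 0.5)],
    "moderate": [(90, 3), (75, 2), (60, 1), (45, 0.5)],
    "low": [(96, 1), (51, 0.5)]}
CA_CERT_BANDS = {  # C.3.i certified and accredited (12)
    "high": [(90, 6), (75, 4), (60, 3), (45, 1)],
    "moderate": [(90, 4), (75, 2), (60, 1), (45, 0.5)],
    "low": [(90, 2), (75, 1.5), (60, 1), (45, 0.5)]}
CA_CONTROLS_BANDS = {  # C.3.ii security controls tested (4)
    "high": [(90, 2), (75, 1.5), (60, 1), (45, 0.5)],
    "moderate": [(96, 1.5), (51, 0.5)], "low": [(96, 0.5)]}
CA_CONTINGENCY_BANDS = {  # C.3.iii contingency plans tested (4)
    "high": [(90, 2), (75, 1.5), (60, 1), (45, 0.5)],
    "moderate": [(96, 1.5), (51, 0.5)], "low": [(51, 0.5)]}
POAM_BANDS = [  # B.2.i-vi, six IG-rated POA&M questions (15 total)
    [(96, 3), (81, 2), (71, 1), (51, 0.5)], [(96, 4), (81, 2), (71, 1), (51, 0.5)],
    [(96, 1), (51, 0.5)], [(96, 2), (81, 1.5), (71, 1), (51, 0.5)],
    [(96, 2), (51, 1)], [(96, 3), (81, 2), (71, 1), (51, 0.5)]]
TRAINING_BANDS = [(90, 4), (75, 3), (60, 2), (45, 1)]  # F.8.i and F.8.ii
GRADE_BANDS = [(97, "A+"), (94, "A"), (90, "A-"), (87, "B+"), (84, "B"),
               (80, "B-"), (77, "C+"), (74, "C"), (70, "C-"), (67, "D+"),
               (64, "D"), (60, "D-")]  # 59 and lower = F

def by_impact(pcts, bands):
    return sum(band_points(pcts[lvl], bands[lvl]) for lvl in bands)

def ig_retained_fraction(pct):
    """A.1.iii: the IG oversight rating keeps 100%, 50% or 0% of the A points."""
    return 1.0 if pct >= 96 else 0.5 if pct >= 51 else 0.0

def score_agency(r):
    """Return per-section points and the total for one agency report r."""
    # A. Annual testing: agency + contractor systems, then the IG deduction.
    a = by_impact(r["systems_reviewed"], REVIEW_BANDS)
    a += by_impact(r["contractor_reviewed"], REVIEW_BANDS)
    a *= ig_retained_fraction(r["ig_oversight_pct"])
    # B. POA&M.
    b = sum(band_points(p, bb) for p, bb in zip(r["poam_pcts"], POAM_BANDS))
    # C. C&A: the OIG rating scales only the certified points (question 6i).
    cert = by_impact(r["ca_certified"], CA_CERT_BANDS)
    cert *= {"satisfactory": 1.0, "poor": 0.5, "failing": 0.0}[r["oig_ca_rating"]]
    c = cert + by_impact(r["ca_controls_tested"], CA_CONTROLS_BANDS)
    c += by_impact(r["ca_contingency_tested"], CA_CONTINGENCY_BANDS)
    # D. Configuration management: 20 for a policy, then per-platform (None
    # marks N/A) and emerging-technology deductions; no policy scores 0.
    d = 0.0
    if r["config_policy"]:
        d = 20.0 - sum(0.0 if p is None or p >= 81 else 0.5 if p >= 71 else 1.0
                       for p in r["platform_pcts"].values())
        d -= 0 if r["emerging_tech_policy"] else 4
    # E. Incident detection and response: three yes/no questions (7, 4, 4).
    e = sum(w for w, yes in zip((7, 4, 4), r["incident_yes"]) if yes)
    # F. Training: two tiered questions plus two 1-point yes/no questions.
    f = band_points(r["awareness_pct"], TRAINING_BANDS)
    f += band_points(r["specialized_pct"], TRAINING_BANDS)
    f += int(r["training_costs_reported"]) + int(r["p2p_policy_explained"])
    # G. Inventory, read here as one 10-point (full letter grade) deduction
    # unless the IG rates all three inventory questions at 96-100%.
    g = 0.0 if all(p >= 96 for p in r["inventory_pcts"]) else -10.0
    return {"A": a, "B": b, "C": c, "D": d, "E": e, "F": f, "G": g,
            "total": a + b + c + d + e + f + g}

def letter_grade(score):
    for floor, grade in GRADE_BANDS:
        if score >= floor:
            return grade
    return "F"

# Constructed sample report (not any real agency's submission).
SAMPLE_REPORT = {
    "systems_reviewed": {"high": 92, "moderate": 80, "low": 97},
    "contractor_reviewed": {"high": 70, "moderate": 50, "low": 40},
    "ig_oversight_pct": 85, "poam_pcts": [98, 90, 97, 75, 60, 85],
    "ca_certified": {"high": 95, "moderate": 78, "low": 65},
    "oig_ca_rating": "satisfactory",
    "ca_controls_tested": {"high": 80, "moderate": 96, "low": 90},
    "ca_contingency_tested": {"high": 55, "moderate": 52, "low": 30},
    "config_policy": True, "emerging_tech_policy": True,
    "platform_pcts": {"Windows XP Professional": 90, "Windows 2003 Server": 75,
                      "Linux": 60, "Cisco Router IOS": None, "Oracle": 85},
    "incident_yes": (True, True, False), "awareness_pct": 93, "specialized_pct": 62,
    "training_costs_reported": True, "p2p_policy_explained": True,
    "inventory_pcts": [100, 97, 90]}
```

Calling score_agency(SAMPLE_REPORT) gives A 5.75 (11.5 points halved by the 85% IG oversight rating), B 10, C 13, D 18.5, E 11, F 8 and the -10 inventory deduction, for 56.25 and an F; with the third inventory question at 96% the same report scores 66.25, a D. That is the mechanism the text describes: a single IG inventory finding moves an agency a full letter grade, and the annual-testing oversight rating can halve or wipe out section A regardless of how many systems the CIO reports as reviewed.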

Major Changes to the Weighting of Grades 

Changes in OMB's FISMA reporting instructions from FY04 to FY05 required the Committee to make several adjustments to the scoring methodology that was used to determine the FISMA grades. The major changes are listed below.

To facilitate future consistency, the Committee continued using the following major 
categories: Annual Testing, Plan of Action and Milestones, Certification and 
Accreditation, Configuration Management, Incident Detection and Response, Training 
and Systems Inventory. Changes for each area are listed below. 

Annual Testing - Removed questions regarding the CIO and NIST self-assessment that 
are not included in OMB's FY05 FISMA reporting guidance. Expanded questions 
regarding the review of agency and contractor systems, to include impact levels. Added 
question regarding IGs' evaluation of the agency's oversight. If an IG indicates a range of 
96 to 100%, no points are taken; if between 51 and 95 % the agency loses half of its 
annual testing points; if 50% or less, the agency loses all annual testing points. 

Plan of Action and Milestones - Removed agency-related POA&M question since it is 
not in FY05 FISMA reporting guidance. All POA&M questions for FY05 FISMA 
reporting were directed to the IG. 

Certification and Accreditation - Removed question relating to security controls being 
integrated into the life cycle, as this issue is no longer a reporting requirement. Expanded 
questions to include impact levels — high, moderate, low. 

Configuration Management - Removed the question regarding the patching of security 
vulnerabilities and added a question regarding emerging technologies. 

Incident Response and Detection - Removed the question regarding systems undergoing 
vulnerability scans and penetration tests. 

Training - No changes made. 
Inventory - Removed agency-related inventory question and added two new IG questions for a total of three questions. The IG must rate the agency at 96% to 100% for all three questions or a full letter grade will be deducted from the final score.



Improvements Still Needed

Although many agencies reported improvements in their implementation of FISMA, such 
as certifying and accrediting a higher percentage of their systems and maintaining an 
inventory, much work is still needed to ensure federal information systems are secure. 
Areas of continued weaknesses include: 

• Annual Testing 

a. Some agencies reported large numbers of their systems as uncategorized. 
These agencies coincidentally all scored in the F range. 

b. While many agencies show improvements over last year in testing their contingency plans, several report testing under 60% of contingency plans for high-impact systems.

• Configuration Management 

Many agencies have begun to develop or have these policies; however, several 
agencies continue to have a low level of implementation. 

• Incident Reporting 

Agencies continued to show inconsistencies in reporting incidents. Some agencies reported few or no incidents. Several reported less than half of all incidents to US-CERT.

• Training 

Most agencies have ensured that their employees have received security training 
and awareness; however, agencies are less successful in ensuring that those with 
significant security responsibilities receive specialized training. 

• Inventory 

Many agencies have not developed an inventory of major IT systems. 

• Overall 

Four of the largest agencies have failing scores: Treasury, DOD, DHS, USDA. 



